10.6 eDiscovery, Audit, and Insider Risk Management
Key Takeaways
- eDiscovery identifies, holds, collects, reviews, and exports content for legal cases; Standard offers search/hold/export, while Premium adds custodian management, legal-hold notifications, review sets, and analytics.
- An eDiscovery (legal) hold preserves content for a specific case and is different from retention — a hold is case-driven, retention is ongoing governance.
- Audit records who did what and when across the tenant; Audit (Standard) retains logs ~180 days, while Audit (Premium) retains up to 10 years with custom retention policies and access to crucial events.
- Insider risk management uses signals and policy templates to detect risky internal activity such as data theft before departure, while Communication Compliance reviews messages for policy violations.
eDiscovery: Standard vs Premium and Legal Hold
eDiscovery (electronic discovery) is the Microsoft Purview capability for finding and producing electronic content as evidence in legal cases, investigations, and regulatory requests. It works across Microsoft 365 content locations — Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft Teams — and supports a workflow to identify, place on hold, collect, review, and export relevant content.
SC-900 tests two tiers:
| Capability | eDiscovery (Standard) | eDiscovery (Premium) |
|---|---|---|
| Create cases | Yes | Yes |
| Content search across M365 | Yes | Yes |
| Place content on legal hold | Yes | Yes |
| Export results | Yes | Yes |
| Custodian management | No | Yes |
| Legal-hold notifications to custodians | No | Yes |
| Review sets, tagging, near-duplicate & email-threading analytics | No | Yes |
| Advanced collection & predictive coding / machine learning | No | Yes |
The simple rule: Standard = search, hold, export. Premium adds the people-and-review workflow — managing custodians (the individuals tied to a case), automatically sending and tracking legal-hold notifications, and building review sets for legal teams to cull and analyze evidence at scale. If a scenario mentions custodians, hold notifications, or review/analytics, the answer is eDiscovery (Premium).
A legal hold (eDiscovery hold) preserves content relevant to a case so it cannot be permanently deleted while the case is open, even if a user deletes it or a retention policy would otherwise remove it. The classic trap is hold vs retention: a legal hold is case-specific and temporary (released when the matter ends), whereas retention is ongoing, organization-wide lifecycle governance. Both preserve data, but for different reasons. (Microsoft has been consolidating its eDiscovery experience into a single modern interface, but the Standard-versus-Premium capability split is still how SC-900 frames it.)
Audit and Insider Risk Management
Audit records who did what, where, and when across the Microsoft 365 tenant. Thousands of operations — file accessed, mail sent, label changed, admin role assigned, sign-in, eDiscovery search run — are written to a unified audit log that administrators and investigators can search. Audit is the answer when a scenario asks to review activity history or investigate an action. It comes in two tiers:
| Capability | Audit (Standard) | Audit (Premium) |
|---|---|---|
| Records tenant activity to unified audit log | Yes | Yes |
| Audit-log retention | ~180 days | Up to 1 year by default, configurable to 10 years |
| Custom retention policies per workload/user | No | Yes |
| Access to crucial / high-value events (e.g., mail items accessed, search performed) | No | Yes |
| Higher bandwidth for the management activity API | No | Yes |
The memory hook: Standard = basic logging with shorter retention; Premium = longer retention (up to 10 years), custom retention policies, and high-value "crucial" events for deeper investigations.
Insider Risk Management and Communication Compliance
Insider risk management detects and helps mitigate risky activity originating from inside the organization — for example, an employee downloading large volumes of files right before resigning, exfiltrating data to personal storage, or showing other risky patterns. It correlates signals (from Microsoft 365, Entra, and Defender) using built-in policy templates (data theft by departing users, data leaks, security-policy violations) and produces alerts and cases, with privacy-by-design controls such as pseudonymization so reviewers see activity without unnecessary personal exposure.
Closely related, Communication Compliance scans messages (email, Teams, and connected platforms) for policy violations such as harassment, threats, or regulatory breaches, and routes flagged items for reviewer action.
Putting the investigation tier together
| Need | Right Purview capability |
|---|---|
| Find, hold, review, and export content for a legal case | eDiscovery (Premium for custodians/notifications/review) |
| Review who did what and when across the tenant | Audit (Premium for long retention / crucial events) |
| Detect risky internal activity like pre-departure data theft | Insider risk management |
| Review messages for harassment or policy breaches | Communication compliance |
Trap: all of these can look like security work, but they are Microsoft Purview compliance capabilities, not Microsoft Sentinel (the SIEM/SOAR) or Microsoft Defender XDR (threat protection). Match the verb — discover and produce evidence → eDiscovery; review activity history → Audit; risky insider behavior → insider risk management.
A Worked Investigation Walkthrough and Tier Reminders
Walking a realistic legal matter through these tools shows where each fits. A company is sued and must preserve and produce email and documents from three named employees:
- Open an eDiscovery case and add the three employees as custodians (Premium feature) so all their Exchange, OneDrive, and Teams content is tracked.
- Place a legal hold so the relevant content is preserved and cannot be deleted while the case is open — independent of any retention policy.
- Send and track legal-hold notifications to the custodians (Premium) so they acknowledge the hold.
- Collect and search content, build review sets, and use analytics (near-duplicate detection, email threading) to cull the data (Premium).
- Export the final, relevant set for outside counsel.
- Separately, run an Audit search to show who accessed or sent key messages and when — useful evidence of activity.
This single matter uses eDiscovery (Premium) for the preserve/collect/review/export workflow and Audit for the activity trail — two different Purview tools for two different questions (what content? vs what actions?).
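The Standard-tier steps of this walkthrough (case, hold, collect, export, audit trail) scripted with Security & Compliance PowerShell, as an added example that is not from the original text; the case name, custodian addresses and search keywords are constructed placeholders.

```powershell
# Added example: the Standard-tier steps of the walkthrough, scripted against
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Case name, custodian addresses and keywords are constructed placeholders.
Connect-IPPSSession   # prompts for an eDiscovery Manager / Compliance Admin sign-in

$case       = "Contoso v. Example - Matter 2024-01"
$custodians = @("alice@contoso.com", "bob@contoso.com", "carol@contoso.com")
$query      = '(subject:"Project Falcon") OR (participants:"legal@example.com")'

# 1. Open the eDiscovery case that every hold, search and export hangs off.
New-ComplianceCase -Name $case -CaseType eDiscovery

# 2. Legal hold: the policy names the locations, the rule scopes the content.
#    Content under the hold survives user deletion and retention-policy expiry
#    until the hold is released when the matter closes.
New-CaseHoldPolicy -Name "$case - Hold" -Case $case `
    -ExchangeLocation $custodians -Enabled $true
New-CaseHoldRule -Name "$case - Hold Rule" -Policy "$case - Hold" `
    -ContentMatchQuery $query

# 3. Collect: search the custodians' mailboxes, wait for completion, then export.
New-ComplianceSearch -Name "$case - Search" -Case $case `
    -ExchangeLocation $custodians -ContentMatchQuery $query
Start-ComplianceSearch -Identity "$case - Search"
while ((Get-ComplianceSearch -Identity "$case - Search").Status -ne "Completed") {
    Start-Sleep -Seconds 30
}
New-ComplianceSearchAction -SearchName "$case - Search" -Export

# 4. Audit trail: who accessed or sent key mail, and when. "Send" is recorded by
#    Audit (Standard); "MailItemsAccessed" is an Audit (Premium) crucial event,
#    so it only appears for users covered by a Premium license.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -UserIds $custodians -Operations MailItemsAccessed,Send -ResultSize 5000
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json      # each record carries its detail as JSON
    [pscustomobject]@{ Time = $d.CreationTime; User = $d.UserId
                       Operation = $d.Operation; ClientIP = $d.ClientIP }
} | Sort-Object Time | Format-Table -AutoSize
```

The Premium-only steps (adding custodians, sending and tracking hold notifications, building review sets) are not exposed by these cmdlets; they are driven from the Purview portal or the Microsoft Graph eDiscovery API.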
Tier quick-reference for the exam:
| Tool | Lower tier does | Higher tier adds |
|---|---|---|
| eDiscovery | Standard: search, hold, export | Premium: custodians, hold notifications, review sets, analytics |
| Audit | Standard: unified log, ~180-day retention | Premium: up to 10-yr retention, custom policies, crucial events |
And the verb-to-tool map for all of Chapter 10, which is exactly what SC-900 product-selection questions reward:
- Identify / detect sensitive data → classification (SITs, trainable classifiers).
- See where it is / what happened → Content explorer / Activity explorer.
- Classify, mark, encrypt, restrict who opens it → sensitivity labels.
- Stop risky sharing or copying → DLP.
- Keep or delete on a schedule; declare records → retention / records management.
- Find, hold, review, export for a case → eDiscovery.
- Review who-did-what history → Audit.
- Detect risky insider activity → insider risk management.
- Review messages for harassment/policy breaches → communication compliance.
A legal team needs to manage custodians and automatically send and track legal-hold notifications for a case, then build review sets. Which capability is required?
An organization must retain its audit logs for several years and access high-value 'crucial' events for an investigation. Which option meets this?
An employee downloads an unusually large number of files in the days before they resign. Which Microsoft Purview capability is designed to surface this?
How does a legal hold differ from a retention policy?